Why Security Teams Need to Virtual Patch

PUBLISHED ON July 8, 2019
LAST UPDATED August 19, 2021

We live in a world where new application security vulnerabilities are discovered daily. Additionally, the advent of botnets and cryptocurrency mining has made compromised applications more valuable to attackers. There are two major techniques attackers use to find vulnerable applications en masse:

  1. Run scanners against large portions of the Internet looking for common, well-understood flaws such as SQL injection and remote command execution. Virtually any poorly coded web application can be vulnerable to these attacks.
  2. Follow the security feeds for newly disclosed vulnerabilities, build exploits for them, and launch those exploits against every public instance of the affected application. Widely deployed platforms like WordPress and Drupal are especially susceptible to this approach.

There is little debate that the best place to fix a security issue is in the application code itself. However, that is not always feasible given the time required. A patch has to be created and tested before it is released to production, and if the vulnerability is in a third-party application, one has to wait for the vendor to release a patch, test the upgrade, and only if nothing breaks, deploy it. These tasks can take days or weeks, and in the meantime the application is exposed. While the application fix is in progress, security teams need a virtual patch: a rule at the edge that reduces the risk immediately.

What can a WAAP do?

Most legacy WAF engines can handle the first tactic above; after all, blocking obvious, generic attacks is what WAFs were designed for. Where most WAFs fall short is the second tactic: time and time again they miss newly disclosed exploits, and when they do, the application remains exposed until a code fix is deployed. Security teams cannot wait that long, which is why virtual patching is an effective approach. With the right WAF, a new vulnerability is not only detected quickly but can also be covered by a rule in a matter of hours.

Take ThreatX, for example. ThreatX goes beyond the techniques that keep legacy WAFs from detecting these attacks and uses tactics that enable fast and accurate virtual patching. ThreatX implements two types of virtual patching:

  1. Penetration test findings: when a customer's penetration test uncovers vulnerabilities, ThreatX's existing protections already cover most, if not all, of them, and rules for any remaining findings can be added within minutes.
  2. CVE-driven patching, discussed next.

CVE Driven Patching

The ThreatX platform includes an active application profiling feature that detects the technologies a web application is built on. This inventory is correlated with CVE feeds such as https://nvd.nist.gov/vuln/data-feeds, so that ThreatX is automatically notified whenever a new CVE affects a technology in a customer's stack.

These CVEs are evaluated for potential risk and exploitability, and ThreatX targets virtually patching high-risk issues within 24 hours. ThreatX uses two approaches to build a virtual patch:

  1. If the vendor's fix is available as source code, ThreatX engineers reverse engineer the vulnerability from the patch and craft a virtual patch rule that rejects the same inputs the code fix now rejects.
  2. For closed-source applications, a working proof of concept is used to validate that the rule actually blocks the exploit.
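To make the first approach concrete, here is an added example (not ThreatX's code or rule format, and not derived from any real CVE) of what a virtual patch looks like once the vulnerability has been reverse engineered from a vendor fix. It assumes a hypothetical application whose patch adds a digits-only check on an `item_id` query parameter of a `/export` endpoint; the rule id, paths, regexes and sample requests are all constructed for the illustration. The filter copies the fix's input constraint as an allowlist scoped to that endpoint, normalizes the request (repeated percent-decoding, every value of a repeated parameter) before matching, and is contrasted with a naive signature lifted from a proof-of-concept payload:

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# --- Constructed scenario (not a real CVE, not a ThreatX rule) ---------------
# Suppose the vendor patch for an application adds, to its /export handler,
# a check that the `item_id` query parameter is a short string of digits
# before using it. A virtual patch copies that same constraint into the
# request filter sitting in front of the still-unpatched application.
VIRTUAL_PATCHES = [
    {
        "id": "vp-example-001",                 # hypothetical rule identifier
        "path": re.compile(r"^/export/?$"),     # scope the rule to the endpoint
        "param": "item_id",
        "allowed": re.compile(r"[0-9]{1,10}"),  # the constraint the fix enforces
    },
]

# A naive alternative: a signature copied from a proof-of-concept payload and
# applied to the raw query string. Included only to contrast with the
# allowlist approach above; it misses any encoded variant of the payload.
POC_SIGNATURE = re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE)


def _decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload is seen the way the application will see it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(raw_url: str) -> tuple[str, dict[str, list[str]]]:
    """Split a request target into a decoded path and decoded query params.
    Every value of a repeated parameter is kept: parameter pollution is a
    classic way to slip a second value past a filter that checks only one."""
    parts = urlsplit(raw_url)
    path = _decode_fully(parts.path)
    params: dict[str, list[str]] = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        params[name] = [_decode_fully(v) for v in values]  # parse_qs decodes once
    return path, params


def evaluate(raw_url: str) -> str | None:
    """Return the id of the virtual patch that blocks this request, or None."""
    path, params = normalize(raw_url)
    for patch in VIRTUAL_PATCHES:
        if not patch["path"].match(path):
            continue
        for value in params.get(patch["param"], []):
            if not patch["allowed"].fullmatch(value):
                return patch["id"]
    return None


def blocked_by_signature(raw_url: str) -> bool:
    """The naive check: match the PoC signature against the raw query string."""
    return bool(POC_SIGNATURE.search(urlsplit(raw_url).query))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        "/export?item_id=42",                    # benign
        "/export?item_id=42%27%20OR%201%3D1",    # URL-encoded injection
        "/export?item_id=42%2527",               # double-encoded quote
        "/export?item_id=7&item_id=7%27",        # parameter pollution
        "/other?item_id=x%27",                   # outside the rule's scope
    ]
    for url in samples:
        print(f"{url:40} allowlist={evaluate(url)!s:16} "
              f"signature={blocked_by_signature(url)}")
```

The design choice matters: a rule derived from the vendor fix says what the endpoint accepts, so encoding tricks and repeated parameters do not help the attacker, whereas the PoC-derived signature only ever describes one payload. The proof of concept still has a role, the one the second approach above gives it: run it against the rule to confirm the rule blocks the exploit before declaring customers protected.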

Whichever approach is used, ThreatX informs all customers as soon as a virtual patch is released, so they know they are protected.

Virtual patching is a highly effective defense-in-depth measure against newly identified vulnerabilities and exploits because it can be put in place in minutes or hours. In the long term, critical vulnerabilities should still be fixed in the application itself, which is where the most effective risk reduction happens. As always, defense in layers is your best strategy.



About the Author

Andrew Useckas

Andrew has had a varied career ranging from ethical hacking, penetration testing and security product development for the US Department of Defense, to senior consulting positions for Fortune 500 enterprises and corporate CISO responsibilities at large enterprises. Andrew combines software development skills with extensive knowledge and experience of the network and security industries.